Career Roadmap
Azure Administrator: Zero to Hero
This roadmap is structured around the five official AZ-104 exam domains and their 2026 weightings. The exam was updated April 17, 2026 — this roadmap reflects the current skills measured. Each step maps directly to a domain so preparation is proportional to exam weight, not personal preference. Use ExamOS practice quizzes at every step to make progress measurable before booking your exam.
Embark on your career roadmap by setting a target and staying accountable
Set targetStep 0 - IT and cloud foundations
Build the core IT foundations that AZ-104 assumes. The exam does not test these topics explicitly but the scenario questions are significantly harder to reason through without them.
2-3 weeks2-3 weeks
Step 0 - IT and cloud foundations
Build the core IT foundations that AZ-104 assumes. The exam does not test these topics explicitly but the scenario questions are significantly harder to reason through without them.
- Networking fundamentals — IP addressing, subnets, CIDR notation, DNS, DHCP, routing, TCP/IP
- Operating system basics — Windows Server and Linux file systems, permissions, processes, remote management
- Virtualization concepts — hypervisors, VMs, virtual networks, virtual disks
- Storage fundamentals — block, file, and object storage, RAID concepts, backup versus replication
- Directory services basics — what Active Directory does, domain versus workgroup, user and group management
- Command line basics — PowerShell and Bash fundamentals, navigating file systems, running scripts
💡 Candidates with existing IT experience (sysadmin, network admin, help desk) can move through this step quickly. Candidates transitioning from non-IT roles should invest the full 2-3 weeks.
💡 PowerShell and Azure CLI both appear in AZ-104 scenario questions at a recognition level. You will see commands and need to identify whether they would produce the described result. Practice basic Azure CLI and PowerShell syntax throughout the entire roadmap, not just in this step.
💡 AZ-900 (Azure Fundamentals) is optional. Candidates with no cloud experience may benefit from completing it before AZ-104. Candidates with general IT backgrounds can proceed directly to Step 1.
Step 1 - Azure platform orientation and AZ-900
Build familiarity with the Azure platform, management interfaces, and core architectural concepts before working with specific services in depth.
2-3 weeks2-3 weeks
Step 1 - Azure platform orientation and AZ-900
Build familiarity with the Azure platform, management interfaces, and core architectural concepts before working with specific services in depth.
- Azure global infrastructure — regions, availability zones, region pairs, sovereign clouds
- Azure management interfaces — Azure portal navigation, Azure CLI installation and basics, PowerShell Az module
- Azure Resource Manager (ARM) — the management layer, resource providers, API versions
- Resource Groups — purpose, design patterns, regional considerations, resource locks
- Azure subscriptions — types, limits, management group hierarchy
- Azure pricing models — consumption-based versus reserved, cost calculator, pricing differences by tier
- Azure free account — what is available for free and how to use it for labs throughout this path
Certifications
💡 AZ-900 validates foundational Azure literacy and is a practical first credential for candidates newer to cloud. 40-60 questions, 45 minutes, 700 passing score.
💡 The most important outcome from this step is comfort navigating the Azure portal and running basic commands in CLI and PowerShell. Every subsequent step assumes this fluency.
💡 Use ExamOS quizzes to confirm Azure foundational understanding before moving into domain-specific preparation.
💡 Set up a free Azure account now. Hands-on lab time throughout this path is as valuable as study time.
Step 2 - Identity, governance, and compliance (Domain 1 — 20-25%)
Manage identities, control access, and enforce governance across Azure environments. This is jointly the highest-weighted domain at 20-25% and the one most candidates underestimate in preparation depth.
3-4 weeks3-4 weeks
Step 2 - Identity, governance, and compliance (Domain 1 — 20-25%)
Manage identities, control access, and enforce governance across Azure environments. This is jointly the highest-weighted domain at 20-25% and the one most candidates underestimate in preparation depth.
- Microsoft Entra ID (formerly Azure AD) — tenant architecture, user types (member versus guest), user creation and management
- Group management — security groups, Microsoft 365 groups, dynamic membership rules
- Entra ID Connect — hybrid identity, password hash sync, pass-through authentication, federation
- Administrative units — scoping admin roles to subsets of the directory
- Azure RBAC — built-in roles, custom roles, role assignments, scope hierarchy (management group, subscription, resource group, resource)
- Role assignment inheritance and how deny assignments work
- Microsoft Entra ID Privileged Identity Management (PIM) basics — eligible versus active assignments, activation requirements
- Azure Policy — policy definitions, initiatives, assignment scopes, effect types (Audit, Deny, DeployIfNotExists, Modify)
- Resource locks — ReadOnly versus Delete, lock inheritance, interaction with RBAC
- Azure Blueprints and Landing Zones concepts at an administrator level
- Subscription management — moving resources between resource groups and subscriptions, resource limits
- Cost Management — budgets, alerts, cost analysis, Azure Advisor cost recommendations
Certifications
💡 Identity and Governance is the 20-25% domain that most surprises candidates because of the depth at which RBAC and Policy are tested. Knowing that RBAC uses roles is not sufficient. Knowing what happens when multiple role assignments conflict, what scope a custom role must be assigned at, and how DeployIfNotExists remediation works are all exam-level topics.
💡 The distinction between Entra ID roles and Azure RBAC roles is the most consistently missed concept on AZ-104. These are two separate systems. Entra ID roles control directory operations. Azure RBAC controls resource operations. Getting them confused costs multiple marks.
💡 PIM is tested at a basic configuration level on AZ-104. Deeper PIM knowledge (approval workflows, access reviews) is more relevant for SC-300. Know what PIM is and why eligible assignments are preferable to permanent active assignments.
💡 Use ExamOS daily scenario practice specifically targeting RBAC scope decisions and Azure Policy effect selection — the two topics where most candidates lose the most marks in this domain.
Step 3 - Azure networking (Domain 4 — 15-20%)
Design, implement, and troubleshoot Azure virtual networks. Networking is consistently rated the most difficult domain by AZ-104 candidates and requires the most hands-on practice to build genuine operational reasoning.
4-5 weeks4-5 weeks
Step 3 - Azure networking (Domain 4 — 15-20%)
Design, implement, and troubleshoot Azure virtual networks. Networking is consistently rated the most difficult domain by AZ-104 candidates and requires the most hands-on practice to build genuine operational reasoning.
- Virtual Networks (VNets) — address space planning, subnet design, system routes
- Network Security Groups (NSGs) — inbound and outbound rules, priority evaluation (lowest number first), default rules, application security groups
- Network Security Group flow logs — enabling, storage, and querying
- VNet peering — regional and global peering, non-transitivity, gateway transit configuration
- User Defined Routes (UDRs) — route tables, next hop types, subnet association, when UDRs override system routes
- Azure DNS — public zones, private zones, VNet links, auto-registration, split-horizon DNS
- Azure Bastion — AzureBastionSubnet requirements (/26 minimum), browser-based RDP/SSH, no public IP on VM
- Azure Load Balancer — Standard versus Basic, frontend IP, backend pool, health probes, load balancing rules, NAT rules
- Azure Application Gateway — Layer 7 routing, URL-based routing, WAF integration, SSL termination
- Azure Traffic Manager — DNS-based routing, routing methods (performance, priority, weighted, geographic)
- Azure Front Door — global Layer 7 load balancing, WAF, caching, origin groups
- VPN Gateway — site-to-site VPN, point-to-site VPN, VNet-to-VNet, gateway SKUs, BGP
- ExpressRoute — dedicated private connectivity, circuits, peering types, when to choose over VPN
- Service Endpoints versus Private Endpoints — what each does, when each is appropriate, DNS implications
- Network Watcher — connection troubleshoot, IP flow verify, next hop, NSG diagnostics, packet capture
- Azure Firewall — standard versus premium, DNAT rules, network rules, application rules, policy management
Certifications
💡 Networking is Domain 4 at 15-20% but is rated the hardest domain by the majority of candidates who have passed AZ-104. The combination of NSG rule evaluation order, VNet peering non-transitivity, UDR behavior, and Private Endpoint DNS configuration creates complex multi-concept scenario questions that require operational reasoning rather than definition recall.
💡 VNet peering non-transitivity is the single most exploited concept in networking scenarios. If VNet A peers with VNet B and VNet B peers with VNet C, resources in VNet A cannot reach VNet C through VNet B. A direct peering or a hub-and-spoke topology with transit routing is required.
💡 Private Endpoints require DNS configuration changes to work correctly. The exam tests what happens when a Private Endpoint is created but DNS is not updated — the connection fails even though the endpoint exists.
💡 Azure Bastion subnet naming is an exact-match requirement. The subnet must be named AzureBastionSubnet. Any other name causes the deployment to fail. This specific detail appears in scenario questions about broken Bastion deployments.
💡 Build every major networking concept in the Azure free tier. Creating VNets, peering them, configuring NSG rules, and testing connectivity from a VM is the preparation that makes these scenario questions answerable under time pressure.
💡 Use ExamOS daily networking practice. This is the domain that produces the most exam day surprises for candidates who prepared conceptually rather than operationally.
Step 4 - Compute resource deployment and management (Domain 3 — 20-25%)
Deploy and manage Azure compute resources across virtual machines, containers, and platform services. Compute is jointly the highest-weighted domain at 20-25% alongside Identity.
4-5 weeks4-5 weeks
Step 4 - Compute resource deployment and management (Domain 3 — 20-25%)
Deploy and manage Azure compute resources across virtual machines, containers, and platform services. Compute is jointly the highest-weighted domain at 20-25% alongside Identity.
- Virtual Machines — creation, configuration, VM sizes, availability options (availability sets versus availability zones)
- VM Scale Sets — autoscaling policies, scaling modes (manual, automatic, scheduled), upgrade policies
- Azure VM extensions — custom script extension, DSC extension, monitoring agents, domain join
- Azure Compute Gallery (formerly Shared Image Gallery) — image definitions, image versions, replication
- ARM templates — structure (parameters, variables, resources, outputs), deployment modes (incremental versus complete), what-if operations
- Bicep — relationship to ARM, basic syntax, modules, parameter files, deployment via CLI
- Azure Container Instances (ACI) — use cases, container groups, resource limits, when ACI versus AKS
- Azure Kubernetes Service (AKS) — cluster creation, node pools, basic operations, upgrade process
- Azure App Service — plans, deployment slots, deployment methods, custom domains, TLS certificates
- Azure App Service scaling — manual scaling, autoscale rules, scale-out versus scale-up
- Azure Functions — consumption plan versus premium plan, triggers, bindings, Durable Functions at a conceptual level
- Azure Container Apps — serverless containers, scaling to zero, managed environments
Certifications
💡 Compute at 20-25% includes both VMs and higher-level services. Candidates who focus heavily on VMs and neglect App Service, ACI, and ARM/Bicep templates consistently find gaps on exam day.
💡 VM Scale Set upgrade policies determine how VM instances are updated when the model changes. Manual, Automatic, and Rolling each have different implications for availability during updates.
💡 AKS is tested at a basic operational level on AZ-104. Node pools, cluster upgrades, and basic kubectl operations are in scope. Deep Kubernetes knowledge is not required here but helps.
💡 Use ExamOS for compute scenario questions that test scaling decisions, ARM template behavior, and service selection (when to use ACI versus AKS versus App Service for a described workload).
Step 5 - Storage implementation and management (Domain 2 — 15-20%)
Implement and manage Azure storage solutions across blobs, files, queues, tables, and managed disks.
3-4 weeks3-4 weeks
Step 5 - Storage implementation and management (Domain 2 — 15-20%)
Implement and manage Azure storage solutions across blobs, files, queues, tables, and managed disks.
- Storage Account types — Standard versus Premium, general purpose v2, Blob storage accounts
- Redundancy options — LRS, ZRS, GRS, GZRS, RA-GRS, RA-GZRS — what each provides and when to choose each
- Blob storage — access tiers (Hot, Cool, Cold, Archive), lifecycle management policies, soft delete, versioning
- Blob storage access — public access levels, shared access signatures (SAS), stored access policies
- Azure Files — SMB and NFS shares, Azure File Sync, identity-based authentication (Entra ID, Active Directory)
- Storage Account security — firewall rules, virtual network service endpoints, private endpoints, Microsoft Trusted Services
- Storage Account encryption — Microsoft-managed keys versus customer-managed keys, infrastructure encryption
- Azure Managed Disks — disk types (Ultra, Premium SSD v2, Premium SSD, Standard SSD, Standard HDD), snapshots, disk encryption
- Azure Import/Export and AzCopy — large data transfer scenarios
- Storage Account access keys and connection strings — rotation, Key Vault integration
- Azure Storage Explorer — navigating and managing storage from a GUI
Certifications
💡 Storage redundancy options appear in scenario questions where RTO, RPO, or regional failure requirements determine the correct tier. RA-GRS and RA-GZRS allow read access from the secondary region — the other geo-redundant options do not. This distinction matters in availability scenario questions.
💡 Blob lifecycle management policies are tested at a configuration level. Know how to write a policy that moves objects from Hot to Cool after 30 days, to Archive after 90 days, and deletes them after 365 days.
💡 Azure File Sync is consistently underrepresented in preparation but appears in hybrid storage scenario questions. Know how cloud tiering works and what the namespace concept means.
💡 The difference between Service Endpoints and Private Endpoints for storage is tested in AZ-104 and is a pattern that applies across multiple storage scenarios. Service Endpoints extend the VNet identity to the storage service without a private IP. Private Endpoints provide a private IP within the VNet.
💡 Use ExamOS for storage scenario questions that test redundancy tier selection for described availability requirements and lifecycle policy design.
Step 6 - Monitoring, backup, and disaster recovery (Domain 5 — 10-15%)
Keep Azure environments healthy, recoverable, and observable. Monitoring and maintenance has the lightest domain weight at 10-15% but appears across all other domains in troubleshooting scenarios.
2-3 weeks2-3 weeks
Step 6 - Monitoring, backup, and disaster recovery (Domain 5 — 10-15%)
Keep Azure environments healthy, recoverable, and observable. Monitoring and maintenance has the lightest domain weight at 10-15% but appears across all other domains in troubleshooting scenarios.
- Azure Monitor — metrics, diagnostic settings, metric alerts, log alerts, action groups
- Log Analytics workspaces — workspace design, data sources, data retention settings
- KQL (Kusto Query Language) basics — simple queries for filtering and summarizing log data
- Application Insights — distributed tracing, availability tests, performance monitoring, smart detection
- Azure Monitor Workbooks and Dashboards — building operational visibility
- Azure Advisor — recommendations across cost, security, reliability, operational excellence, performance
- Azure Service Health — service issues, planned maintenance, health advisories
- Azure Backup — Recovery Services vault, backup policies, VM backup, Azure Files backup, SQL backup
- Azure Site Recovery — replication scenarios, failover and failback, recovery plans
- Azure Monitor for VMs and Network Watcher integration with monitoring
Certifications
💡 Azure Backup versus Azure Site Recovery is a distinction the exam tests specifically. Azure Backup protects data against accidental deletion, corruption, and ransomware. Azure Site Recovery replicates infrastructure for regional failover. They address different failure scenarios and are often wrong answers for each other's use case.
💡 Diagnostic settings are the mechanism by which Azure resource logs and metrics are sent to Log Analytics, Storage Account, or Event Hub. A scenario describing monitoring data that is not appearing in the expected destination is almost always a missing or misconfigured diagnostic setting.
💡 KQL queries appear in scenario questions at a recognition level. You need to understand what a given query does, not write complex queries from memory. Basic filter, project, and summarize operations are the scope.
💡 Recovery Services vault region is fixed at creation. A vault cannot be moved to a different region. This specific constraint appears in scenario questions about backup infrastructure design.
💡 Use ExamOS for monitoring scenario questions that test alert configuration decisions, Backup versus Site Recovery selection, and diagnostic settings troubleshooting.
Step 7 - Hands-on consolidation and exam readiness
Consolidate everything through integrated scenario practice and identify the specific gaps to close before booking the exam.
2-3 weeks2-3 weeks
Step 7 - Hands-on consolidation and exam readiness
Consolidate everything through integrated scenario practice and identify the specific gaps to close before booking the exam.
- Full end-to-end lab scenarios that combine networking, identity, compute, and storage
- CLI and PowerShell commands for each major resource type — enough to recognize correct syntax in exam questions
- Case study question technique — reading requirements before background, identifying constraints explicitly
- Domain-weighted practice — allocating remaining study time proportionally to exam domain weights
- Weak area targeting — using practice scores to identify and specifically address remaining gaps
Certifications
💡 AZ-104 includes case study questions. These present extended scenarios with multiple related questions drawing on the same Azure environment description. Candidates who have only practiced standalone multiple-choice questions are often caught off guard by case studies. Practice reading complex scenarios and answering questions that require holding multiple constraints in mind simultaneously.
💡 The Azure portal is available during the AZ-104 exam via a split-screen. This does not mean you can look everything up. Time pressure makes it impractical to search for basic information during the exam. Use it only for verification on questions where you are genuinely uncertain, not as a substitute for preparation.
💡 Consistent performance above 80% on Legend mode on ExamOS across five or more consecutive sessions is the clearest readiness signal for AZ-104. One strong session is not sufficient — stability matters more than peak performance.
💡 Review wrong answers at the reasoning level. For every missed question, identify which concept the scenario was testing and what your reasoning error was. That pattern analysis is more valuable than seeing more new questions.
Final step - Certification, validation, and what comes next
Before booking AZ-104, confirm stable performance above 80% on timed scenario-based practice across multiple sessions. Pay particular attention to networking and identity — these are the domains most candidates underestimate and where exam day surprises most often occur. AZ-104 is also the prerequisite for several important follow-on paths: AZ-305 (Azure Solutions Architect Expert) for architecture-level roles, AZ-400 (DevOps Engineer Expert) for DevOps and platform engineering roles, and SC-500 (Cloud and AI Security Engineer) for security-focused careers. Planning your follow-on path before you sit AZ-104 helps focus your preparation on the areas most relevant to where you want to go next. Use ExamOS daily practice to build the operational reasoning the exam tests and to track where your preparation is genuinely solid versus where it needs more work before you book.
Final step - Certification, validation, and what comes next
Before booking AZ-104, confirm stable performance above 80% on timed scenario-based practice across multiple sessions. Pay particular attention to networking and identity — these are the domains most candidates underestimate and where exam day surprises most often occur. AZ-104 is also the prerequisite for several important follow-on paths: AZ-305 (Azure Solutions Architect Expert) for architecture-level roles, AZ-400 (DevOps Engineer Expert) for DevOps and platform engineering roles, and SC-500 (Cloud and AI Security Engineer) for security-focused careers. Planning your follow-on path before you sit AZ-104 helps focus your preparation on the areas most relevant to where you want to go next. Use ExamOS daily practice to build the operational reasoning the exam tests and to track where your preparation is genuinely solid versus where it needs more work before you book.
Realistic timeline
- 2 hours per day: approximately 4-6 months for the complete path
- 3-4 hours per day: approximately 3-4 months
- Candidates with existing Azure or cloud administration experience: 8-12 weeks is realistic for exam-specific preparation
- Networking (Step 3) and Compute (Step 4) together represent up to 45% of the exam — allocate proportionally more time here
- Hands-on lab time counts as study time and produces better AZ-104 outcomes than passive reading — build real resources for every major topic
- Consistency across daily sessions produces better results than weekend marathon sessions
Embark on your career roadmap by setting a target and staying accountable
Set target